From Get-AzKeyVaultCertificate to Connect-ExchangeOnline -Certificate

Copper Contributor

I'm seeking examples/samples in PowerShell to utilize Certificate-Based Authentication with automated ExO Admin tasks.  

Current solution relies on a local certificate (CurrentUser\My or LocalMachine\My) and Connect-ExchangeOnline -CertificateThumbprint.  Or from a local PFX file with -CertificateFilePath.  

  I'm thinking that Azure Key Vault would be better container since the tenant has control over all credentials.  


  I have not seen sample code to go from a AzKeyVaultCertificate object to Connect-ExchangeOnline -Certificate.  Perhaps because it is so new.  Perhaps because there is a better alternative.  


  Any advice or suggestions greatly appreciated.  Thank you.  



2 Replies
best response confirmed by TerryED (Copper Contributor)

Thank you @VasilMichev.  I was missing the Get-AzKeyVaultSecret ... -AsPlainText parameter.  This works for me now:


$AzKeyVaultTenant = '<M365 Tenant ID GUID>'
$AzKeyVaultApplicationId = '<Azure Key Vault Application ID GUID>'
$AzKeyVaultCertificateThumbprint = '<LocalMachine Certificate Thumbprint>'
$AzKeyVaultName = '<Azure Key Vault Name>'
$ExoOrganization = '<M365 Tenant fully qualified domain name>'
$ExoCertificateSecretName = '<Azure Key Vault Exchange Online Certificate Name>'
$ExoAppId = '<Exchange Online App ID GUID>'


Connect-AzAccount -Tenant $AzKeyVaultTenant -ApplicationId $AzKeyVaultApplicationId -CertificateThumbprint $AzKeyVaultCertificateThumbprint -ServicePrincipal | Out-Null
    $exoKeyVaultCertificateSecret = Get-AzKeyVaultSecret -VaultName $AzKeyVaultName -Name $ExoCertificateSecretName -AsPlainText
Disconnect-AzAccount -Confirm:$FALSE | Out-Null


$exoCertificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList ([Convert]::FromBase64String( $exoKeyVaultCertificateSecret )), '', 'Exportable,MachineKeySet,PersistKeySet'


Connect-ExchangeOnline -Organization $ExoOrganization -AppID $ExoAppId -Certificate $exoCertificate -ShowBanner:$False
    (Get-AcceptedDomain | Where-Object { $PSItem.Default }).DomainName
Disconnect-ExchangeOnline -Confirm:$FALSE

1 best response

Accepted Solutions
best response confirmed by TerryED (Copper Contributor)